Ransomware has continued to be a significant threat not just to the education and research sectors but to all industries this year. A new ransomware group, known as Hive, is rising in prominence due to their sophisticated tool set and targeting of hospitals and critical infrastructure.
As this group poses a relevant threat to our sector, this informational alert contains guidance on mitigating the reported techniques the group utilises to attack victims.
Most commonly the attacks start with a phishing email carrying malicious attachments, used to gain access and download an initial payload. They often utilise RDP for lateral movement across the network, but have also been seen to exploit vulnerabilities in software products.
Like many ransomware groups now, Hive uses a double extortion technique: interesting data is exfiltrated before encryption, which allows the group to threaten publication on its leak site if the victim does not pay.
Recommended actions:
- Back up critical data securely – keep multiple copies, including offline copies
- Use multi-factor authentication for all users, especially for remote access services
- Ensure all devices and applications are patched and up-to-date
- Install and keep up-to-date anti-virus on all hosts
- Search infrastructure for the IOCs below and block where possible
- Monitor services for abnormalities
- Educate/remind users about phishing and phishing techniques
Key IOCs:
- 46.166.161[.]93
- 176.123.8[.]228 – Cobalt Strike Beacon
Files Created:
- Hive.bat
- Shadow.bat
File Extensions Added:
- .key.*
- .key.hive
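To support the "search infrastructure for the IOCs" action above, here is an added example (not part of the original advisory) that scans log lines for the listed IP addresses, the Hive.bat/Shadow.bat file names and the .key.* encrypted-file extension. The firewall and Sysmon-style log format and the sample lines are constructed assumptions; only the indicator values come from the advisory.

```python
import re
from dataclasses import dataclass

# Indicators taken from the advisory above (IPs are listed defanged with "[.]").
HIVE_IPS = {"46.166.161[.]93", "176.123.8[.]228"}
HIVE_FILENAMES = {"hive.bat", "shadow.bat"}
# ".key.*" / ".key.hive": a ".key." marker followed by any trailing extension.
HIVE_EXTENSION_RE = re.compile(r"\.key\.[A-Za-z0-9]+$", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Turn a defanged indicator like 46.166.161[.]93 back into a searchable IP."""
    return ioc.replace("[.]", ".")


@dataclass
class Match:
    line_no: int   # 1-based index of the log line that matched
    kind: str      # "ip", "file" or "extension"
    value: str     # the indicator value as seen in the log line


def scan_lines(lines):
    """Return a Match for every advisory IOC found in the given log lines."""
    ips = {refang(ip) for ip in HIVE_IPS}
    ip_re = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
    # Windows (C:\...) or POSIX (/...) paths; the file name is the last path segment.
    path_re = re.compile(r"[A-Za-z]:\\[^\s\"']+|/[^\s\"']+")
    matches = []
    for n, line in enumerate(lines, 1):
        for ip in ip_re.findall(line):
            if ip in ips:
                matches.append(Match(n, "ip", ip))
        for path in path_re.findall(line):
            name = re.split(r"[\\/]", path)[-1]
            if name.lower() in HIVE_FILENAMES:
                matches.append(Match(n, "file", name))
            elif HIVE_EXTENSION_RE.search(name):
                matches.append(Match(n, "extension", name))
    return matches


# Constructed sample log lines (assumed format): one beacon, one dropped script,
# one encrypted document and two benign lines that must not match.
SAMPLE_LOGS = [
    "2021-08-30T10:01:02 fw allow src=10.0.0.5 dst=176.123.8.228 dport=443",
    "2021-08-30T10:03:10 fw allow src=10.0.0.5 dst=8.8.8.8 dport=53",
    "2021-08-30T10:05:44 sysmon FileCreate Image=C:\\Windows\\System32\\cmd.exe TargetFilename=C:\\Users\\Public\\hive.bat",
    "2021-08-30T10:06:01 sysmon FileCreate TargetFilename=C:\\Users\\alice\\Documents\\budget.xlsx.key.hive",
    "2021-08-30T10:06:02 sysmon FileCreate TargetFilename=C:\\Users\\alice\\Documents\\notes.txt",
]

if __name__ == "__main__":
    for m in scan_lines(SAMPLE_LOGS):
        print(f"line {m.line_no}: {m.kind} indicator {m.value}")
```

Point the script at exported firewall, proxy or endpoint logs to triage for the listed indicators; any hit warrants blocking the IP and isolating the host for investigation.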
Questions:
If you have any questions or concerns about this advisory, please contact us via our support desk – support@empsn.org.uk